-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 Travis Siegel dixit:
> server, should I move that certificate somewhere else to get lynx to treat it You can apply the certificate bundle MirBSD ships if you trust me enough (IIRC it is also linked in lynx’ documentation). You’ll have to go to the following URLs and download the two files: https://www.mirbsd.org/cvs.cgi/src/etc/ssl.certs.shar?rev=HEAD and https://www.mirbsd.org/cvs.cgi/src/etc/ssl.links.shar?rev=HEAD You’ll need to use a browser/downloader that still supports TLSv1 (and does not require TLSv1.2 like Google’s or Mozilla’s) to get them; unfortunately, the server uses a LE certificate as well so you have a hen-egg problem. Here’s a hash of the latest versions of these files; I’m PGP-signing this eMail, so you have at least another-ish venue to verify them: =====| cutting here may damage your screen surface |===== $ ident ssl.* ssl.certs.shar: $MirOS: src/etc/ssl.certs.shar,v 1.52 2019/05/16 19:55:41 tg Exp $ ssl.links.shar: $MirOS: src/etc/ssl.links.shar,v 1.9 2019/05/16 19:55:43 tg Exp $ $ sha256sum ssl.* 2e9d27cf61fa49dc9ff0bfb9c328221cfad494d7927b8fc84a1423e806dc39ca ssl.certs.shar e7283c4dc4ecc0d67d43b6ec9e1a896119100ddfb9e7f582f11021906a912195 ssl.links.shar =====| cutting here may damage your screen surface |===== Then create a new temporary directory and run ssl.certs.shar there. It will create all the certificate files. You can then generate a nonGNUTLS bundle from that by doing: cat *.[0-9] | sudo dd of=/etc/ssl/certs/ca-certificates.crt Then run ssl.links.shar in that directory, which will create the compatibility symlinks (ssl.certs.shar’s filenames use the OpenSSL 0.x and nonGNUTLS hash; OpenSSL 1.x+ uses a different certificate hash which these symlinks account for). Finally copy all files and symlinks into the final destination, overwriting existing ones: sudo pax -rw -pe *.* /etc/ssl/certs/ # either this… sudo cp -a *.* /etc/ssl/certs/ # … or that… # … followed by: sudo chown 0:0 /etc/ssl/certs/* The first alternative of the copying command needs pax installed, which comes by default on BSD but not many GNU systems; the second uses a GNU coreutils feature and hence only works on those :/ You may also delete the now-expired DST Root certificate (until I manage to update the bundle, a process during which I prune expired ones; this one only expired yesterday and I have not yet got around to doing so): sudo rm /etc/ssl/certs/12d55845.0 # the file sudo rm /etc/ssl/certs/2e5ac55d.0 # the symlink (You might even wish to remove it from the nonGNUTLS bundle /etc/ssl/certs/ca-certificates.crt but it seems to be fine to just leave it there.) That’s it about updating the root certificates on the client. Now older OpenSSL versions not manually patched will still mark the server certificate as expired because the ISRG-root-crosssigned- by-DST-root certificate is still delivered as part of the chain from servers to clients, mostly due to LE still delivering it as element of the official fullchain, a bug which I already reported: https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/328 To fix this, go to all servers *you* have access to and remove the following snippet from every file in /etc/ssl/ and possibly /etc/ssl/private/ that contains it: -----BEGIN CERTIFICATE----- MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 -----END CERTIFICATE----- You can see it’s the right one by piping through “openssl x509 -text” which will show (starting around line 7 or so): Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3 Validity Not Before: Jan 20 19:14:03 2021 GMT Not After : Sep 30 18:14:03 2024 GMT Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1 (In case you wonder: it’s not this one which is expired but it’s signed from “DST Root CA X3” and *that* is the one having expired:) Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 Validity Not Before: Sep 30 21:12:19 2000 GMT Not After : Sep 30 14:01:15 2021 GMT Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 Then restart affected services (or the entire server, if unsure). I’m doing mine right now, so give me some minutes to do that for MirBSD’s machines… Good luck, //mirabilos - -- > Wish I had pine to hand :-( I'll give lynx a try, thanks. Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (MirBSD) Comment: ☃ ЦΤℱ—8 ☕☂☄ iQIcBAEBCQAGBQJhVffxAAoJEHa1NLLpkAfgbqIP/i1dQNJw99oTsEd0UuEuiI1J 2vjLB/tb5X2sf5b+78W0/zuXMJ2Xxakj9WtSJ2uRvaCLw/80STMNlM1O416FH9jV QPb5udg/3lEe9Sccorv/bMtndhV/sjLj96HsCcwwFi8O+AffCWhNcNCw67J+j8Yt 6+pZIrOcc9AbtpqHYfAr7RgHHQepoA9w+j+/XykLauGp4g/XGvymD1/DKXqUIDNn 74M0zAoFDBvHVSS9AbYQ6dY9VXoB2aX2ahe6PEKYiCU4GSQ3a+hOYOsmvF6cWzvt /Na7fu9gQPG02yWDcIPp0VemF5IJuByGnF0NVSFyAzLTXmPestBlyMTjBbTmZb4T yFpDhc5ibQbFiBNyM9hqAqVN8V0O9nyVmLBUbMqsGW4Dk/FYtWpWHff42f+YY6PG vo8cfK3qOAxNyY/2DhzxSQKoa4fbarVzfJ9cpSBllWL8ztlsD5pF+CRl+ILCjq7H WMB4UtUNp7fGxL38qN6e5oriszP6UJ8jV87m3FjNgZ814qKoMPGfJo7+dW4f/k8S /qhrjueRxxvzI4CYwZrWSLejmUEn1s5L2LndvEndjwnVg0AF3IjEUoQch4rILs9P IbNsmN/oUh/75ylUh9HyTNm0ZzSxz6iOx7IxVwNN7xyObqzMKF/aQQwtLL6karhY wu8khEOFfFqDyoFwSHc2 =nDpF -----END PGP SIGNATURE-----
